Few Banks Use Extended Validation Certificates

2008-08-04

Normal version

The latest thing against phishing are extended validation (EV) certificates. Supported by Firefox 3 and Internet Explorer 7, these certificates promise that the site has gone through a more extensive validation of its owner than ordinary SSL certificates. However, when it comes to market adoption after almost two years availability, these new certificates have failed badly. Only thirty percent of the world's largest banks already present an EV certificate in their online banking application.

Location
  bar for a site with an EV certificate in Firefox 3

Location bar for a site with an EV certificate in Firefox 3
(click to enlarge)

Especially when looking at the recent DNS vulnerability, I wouldn't be too surprised if some certificates ended up in the wrong hands. But even back in 2005, I argued for Firefox treating certificates differently according to the level of validation that had been carried out. Therefore, when EV certificates came up I thought they were a good thing. However, it seems the market thinks otherwise. Of the ten largest banks, only Bank of America, The Bank of Tokyo-Mitsubishi UFJ and The Royal Bank of Scotland use EV certificates1. Of course, this may as well mean that banks are rather conservative and are not early adaptors of new technology. But I have the feeling that banks will not react until real money is lost, even though we have already seen phishing with proper certificates.

In Germany, where I live, the situation is slightly better. Here, five of the ten largest banks offering online banking already have EV certificates installed. However, only one (Postbank) documents its use of such a certificate in the security guidelines.

Although the real benefit of EV certificates is still subject to debate, not using them might also create liability risks. A phishing victim may well ask why his bank did not implement the latest security measure.

1 Results may vary for banks operating in multiple countries. When in doubt, I always used the US site.

Copyright 2006--2011 Hendrik Weimer. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.